fix(hosting-cli): restrict gcp deploy env, add --no-interactive, extract constants

Address PR feedback:

- Restrict the deploy script's environment to an allowlist of host vars
  (PATH, HOME, gcloud/docker config, proxy/TLS) plus the explicit deploy
  overrides. Prevents a tampered or compromised flexgen manifest from
  exfiltrating unrelated host secrets like AWS_*/GITHUB_TOKEN.
- Add --interactive/--no-interactive (default true) so the command works
  in CI. In non-interactive mode the run prompt is skipped, and an
  existing Dockerfile errors out unless --overwrite-dockerfile is set.
- Extract env-var keys and manifest field names into module-level
  constants per project convention.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kastier1

packages/reflex-hosting-cli/src/reflex_cli/v2/gcp.py

@@ -26,6 +26,60 @@
 
 DOCKERFILE_NAME = "Dockerfile"
 
+# Environment variables passed to the deploy script.
+ENV_GCP_PROJECT = "GCP_PROJECT"
+ENV_GCP_REGION = "GCP_REGION"
+ENV_SERVICE_NAME = "SERVICE_NAME"
+ENV_AR_REPO = "AR_REPO"
+ENV_VERSION = "VERSION"
+
+# Manifest response field names from flexgen.
+FIELD_DOCKERFILE = "dockerfile"
+FIELD_DEPLOY_COMMAND = "deploy_command"
+
+# Allowlist of host environment variables forwarded to the deploy script.
+# We deliberately exclude things like AWS_*/GITHUB_TOKEN/SSH agent sockets so a
+# compromised or tampered manifest cannot exfiltrate unrelated credentials.
+DEPLOY_ENV_ALLOWLIST = frozenset({
+    "PATH",
+    "HOME",
+    "USER",
+    "LOGNAME",
+    "SHELL",
+    "TERM",
+    "LANG",
+    "LC_ALL",
+    "LC_CTYPE",
+    "TMPDIR",
+    "TEMP",
+    "TMP",
+    "XDG_CONFIG_HOME",
+    # gcloud configuration
+    "CLOUDSDK_CONFIG",
+    "CLOUDSDK_ACTIVE_CONFIG_NAME",
+    "CLOUDSDK_CORE_PROJECT",
+    "CLOUDSDK_CORE_ACCOUNT",
+    "CLOUDSDK_AUTH_ACCESS_TOKEN_FILE",
+    "GOOGLE_APPLICATION_CREDENTIALS",
+    # docker configuration
+    "DOCKER_HOST",
+    "DOCKER_TLS_VERIFY",
+    "DOCKER_CERT_PATH",
+    "DOCKER_CONFIG",
+    "DOCKER_BUILDKIT",
+    # corporate proxy / TLS trust
+    "HTTP_PROXY",
+    "HTTPS_PROXY",
+    "NO_PROXY",
+    "http_proxy",
+    "https_proxy",
+    "no_proxy",
+    "SSL_CERT_FILE",
+    "SSL_CERT_DIR",
+    "REQUESTS_CA_BUNDLE",
+    "CURL_CA_BUNDLE",
+})
+
 
 @click.group()
 def gcp_cli():
@@ -78,6 +132,12 @@ def gcp_cli():
     help="Overwrite an existing Dockerfile without prompting.",
 )
 @click.option("--token", help="The Reflex authentication token.")
+@click.option(
+    "--interactive/--no-interactive",
+    is_flag=True,
+    default=True,
+    help="Whether to prompt before overwriting the Dockerfile and running the script.",
+)
 @click.option(
     "--dry-run",
     is_flag=True,
@@ -99,6 +159,7 @@ def gcp_deploy(
     source_dir: str,
     overwrite_dockerfile: bool,
     token: str | None,
+    interactive: bool,
     dry_run: bool,
     loglevel: str,
 ):
@@ -112,7 +173,7 @@ def gcp_deploy(
     console.set_log_level(loglevel)
 
     authenticated_client = hosting.get_authenticated_client(
-        token=token, interactive=True
+        token=token, interactive=interactive
     )
 
     bash_path = shutil.which("bash")
@@ -154,11 +215,11 @@ def gcp_deploy(
 
     version_value = version_tag or datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
     deploy_env = {
-        "GCP_PROJECT": gcp_project,
-        "GCP_REGION": region,
-        "SERVICE_NAME": service_name,
-        "AR_REPO": ar_repo,
-        "VERSION": version_value,
+        ENV_GCP_PROJECT: gcp_project,
+        ENV_GCP_REGION: region,
+        ENV_SERVICE_NAME: service_name,
+        ENV_AR_REPO: ar_repo,
+        ENV_VERSION: version_value,
     }
 
     console.info("Received deploy manifest from flexgen.")
@@ -172,6 +233,10 @@ def gcp_deploy(
     console.print("─" * 60)
     console.print(deploy_script)
     console.print("─" * 60)
+    console.info(
+        f"The script runs with a restricted env (only {len(DEPLOY_ENV_ALLOWLIST)} "
+        "allowlisted host variables forwarded plus the deploy variables above)."
+    )
 
     if dry_run:
         console.print("")
@@ -182,13 +247,20 @@ def gcp_deploy(
         console.info("Dry run — nothing written or executed.")
         return
 
-    if not _write_dockerfile(dockerfile_path, dockerfile, overwrite_dockerfile):
+    if not _write_dockerfile(
+        dockerfile_path, dockerfile, overwrite_dockerfile, interactive
+    ):
         raise click.exceptions.Exit(1)
 
-    answer = console.ask("Run the deploy script now?", choices=["y", "n"], default="y")
-    if answer != "y":
-        console.warn("Aborted by user. The Dockerfile has been written for later use.")
-        raise click.exceptions.Exit(1)
+    if interactive:
+        answer = console.ask(
+            "Run the deploy script now?", choices=["y", "n"], default="y"
+        )
+        if answer != "y":
+            console.warn(
+                "Aborted by user. The Dockerfile has been written for later use."
+            )
+            raise click.exceptions.Exit(1)
 
     exit_code = _run_deploy_script(
         bash_path=bash_path,
@@ -284,31 +356,44 @@ def _request_manifest(token: str) -> tuple[str, str]:
         console.error("Flexgen returned an unexpected response shape.")
         raise click.exceptions.Exit(1)
 
-    dockerfile = body.get("dockerfile")
-    deploy_command = body.get("deploy_command")
+    dockerfile = body.get(FIELD_DOCKERFILE)
+    deploy_command = body.get(FIELD_DEPLOY_COMMAND)
     if not isinstance(dockerfile, str) or not dockerfile.strip():
-        console.error("Flexgen response is missing a non-empty 'dockerfile' field.")
+        console.error(
+            f"Flexgen response is missing a non-empty {FIELD_DOCKERFILE!r} field."
+        )
         raise click.exceptions.Exit(1)
     if not isinstance(deploy_command, str) or not deploy_command.strip():
-        console.error("Flexgen response is missing a non-empty 'deploy_command' field.")
+        console.error(
+            f"Flexgen response is missing a non-empty {FIELD_DEPLOY_COMMAND!r} field."
+        )
         raise click.exceptions.Exit(1)
 
     return dockerfile, deploy_command
 
 
-def _write_dockerfile(path: Path, contents: str, overwrite: bool) -> bool:
-    """Write the Dockerfile to disk, prompting before overwriting.
+def _write_dockerfile(
+    path: Path, contents: str, overwrite: bool, interactive: bool
+) -> bool:
+    """Write the Dockerfile to disk, prompting before overwriting in interactive mode.
 
     Args:
         path: Where to write the Dockerfile.
         contents: The Dockerfile body.
         overwrite: If True, overwrite without prompting.
+        interactive: If False, never prompt; require `overwrite` when the file exists.
 
     Returns:
         True on success, False if the user declined to overwrite or write failed.
 
     """
     if path.exists() and not overwrite:
+        if not interactive:
+            console.error(
+                f"{path} already exists. Pass --overwrite-dockerfile to replace it "
+                "in non-interactive mode."
+            )
+            return False
         answer = console.ask(
             f"{path} already exists. Overwrite?", choices=["y", "n"], default="n"
         )
@@ -335,17 +420,25 @@ def _run_deploy_script(
 ) -> int:
     """Run the bash deploy script, streaming output to the user's terminal.
 
+    The script's environment is restricted to ``DEPLOY_ENV_ALLOWLIST`` (plus the
+    explicit ``env_overrides``) so unrelated host secrets like ``AWS_*`` or
+    ``GITHUB_TOKEN`` cannot be exfiltrated by a tampered or compromised manifest.
+
     Args:
         bash_path: Resolved path to the bash executable.
         script: The bash script body received from flexgen.
         cwd: Working directory to run the script in.
-        env_overrides: Environment variables to layer on top of the parent env.
+        env_overrides: Environment variables required by the deploy script.
 
     Returns:
         The exit code of the bash process.
 
     """
-    env = os.environ.copy()
+    env = {
+        name: value
+        for name, value in os.environ.items()
+        if name in DEPLOY_ENV_ALLOWLIST
+    }
     env.update(env_overrides)
     try:
         result = subprocess.run(

tests/units/reflex_cli/v2/test_gcp.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import os
 from pathlib import Path
 from unittest import mock
 
@@ -294,6 +295,117 @@ def test_gcp_deploy_default_version_is_timestamp(mocker: MockFixture, tmp_path:
     assert version.replace("-", "").isdigit()
 
 
+def test_gcp_deploy_no_interactive_skips_run_prompt(
+    mocker: MockFixture, tmp_path: Path
+):
+    run_mock = _patch_environment(mocker)
+    _mock_manifest_response(mocker)
+
+    result = runner.invoke(
+        hosting_cli,
+        [
+            "gcp",
+            "deploy",
+            "--gcp-project",
+            "p",
+            "--source",
+            str(tmp_path),
+            "--no-interactive",
+            "--token",
+            "fake-token",
+        ],
+    )
+
+    assert result.exit_code == 0, result.output
+    assert (tmp_path / "Dockerfile").read_text() == DOCKERFILE
+    assert run_mock.call_count == 1
+
+
+def test_gcp_deploy_no_interactive_refuses_to_overwrite_without_flag(
+    mocker: MockFixture, tmp_path: Path
+):
+    run_mock = _patch_environment(mocker)
+    _mock_manifest_response(mocker)
+    existing = tmp_path / "Dockerfile"
+    existing.write_text("FROM existing\n")
+
+    result = runner.invoke(
+        hosting_cli,
+        [
+            "gcp",
+            "deploy",
+            "--gcp-project",
+            "p",
+            "--source",
+            str(tmp_path),
+            "--no-interactive",
+            "--token",
+            "fake-token",
+        ],
+    )
+
+    assert result.exit_code == 1
+    assert "--overwrite-dockerfile" in result.output
+    assert existing.read_text() == "FROM existing\n"
+    assert run_mock.call_count == 0
+
+
+def test_gcp_deploy_env_is_restricted_to_allowlist(mocker: MockFixture, tmp_path: Path):
+    """Verify the script env excludes host secrets and only includes allowlisted vars."""
+    from reflex_cli.v2 import gcp as gcp_module
+
+    mocker.patch(
+        "reflex_cli.utils.hosting.get_authenticated_client",
+        return_value=hosting.AuthenticatedClient(token="fake-token", validated_data={}),
+    )
+    mocker.patch(
+        "reflex_cli.v2.gcp.shutil.which", side_effect=lambda n: f"/usr/bin/{n}"
+    )
+    mocker.patch(
+        "reflex_cli.v2.gcp._get_active_gcp_account", return_value="u@example.com"
+    )
+    _mock_manifest_response(mocker)
+
+    captured: dict[str, dict[str, str]] = {}
+
+    def fake_run(*args, **kwargs):
+        captured["env"] = kwargs["env"]
+        return mock.MagicMock(returncode=0)
+
+    mocker.patch("reflex_cli.v2.gcp.subprocess.run", side_effect=fake_run)
+    mocker.patch.dict(
+        os.environ,
+        {
+            "PATH": "/usr/bin",
+            "HOME": "/home/test",
+            "AWS_SECRET_ACCESS_KEY": "should-not-leak",
+            "GITHUB_TOKEN": "also-secret",
+            "DOCKER_HOST": "unix:///var/run/docker.sock",
+            "MY_RANDOM_VAR": "should-not-leak",
+        },
+        clear=True,
+    )
+
+    result = runner.invoke(
+        hosting_cli,
+        ["gcp", "deploy", "--gcp-project", "p", "--source", str(tmp_path)],
+        input="y\n",
+    )
+
+    assert result.exit_code == 0, result.output
+    env = captured["env"]
+    # Allowlisted host vars are forwarded.
+    assert env["PATH"] == "/usr/bin"
+    assert env["HOME"] == "/home/test"
+    assert env["DOCKER_HOST"] == "unix:///var/run/docker.sock"
+    # Deploy overrides are present.
+    assert env[gcp_module.ENV_GCP_PROJECT] == "p"
+    # Host secrets are NOT forwarded.
+    assert "AWS_SECRET_ACCESS_KEY" not in env
+    assert "GITHUB_TOKEN" not in env
+    assert "MY_RANDOM_VAR" not in env
+
+
 @pytest.fixture(autouse=True)
 def _no_log_level_side_effects(mocker: MockFixture):
     mocker.patch("reflex_cli.utils.console.set_log_level")